The auditor general has reiterated his disappointment with state government agencies consistently not taking appropriate steps to protect and manage their IT systems despite the recent global malware attacks.
The auditor general has reiterated his disappointment with state government agencies consistently not taking appropriate steps to protect and manage their IT systems despite the recent global malware attacks.
Colin Murphy tabled his report in parliament today, which looked at general computer controls across 46 government agencies and the controls around five key business applications.
Mr Murphy said the report revealed common information system weaknesses that could seriously affect the operations of government and potentially compromise sensitive information held by agencies.
“I continue to report the same common weaknesses year after year and yet many agencies are still not taking action,” he said.
“This is particularly frustrating given that many of the issues I’ve raised can be easily addressed – including poor password management and ensuring processes to recover data and operations in the event of an incident are kept updated.”
His comments echoed that of the last audit on 45 state government agencies in June last year, which found more than half weren’t meeting the benchmark in three or more out of the six control categories of: IT operations; management of IT risks; information security; business continuity; change control; and physical security.
Mr Murphy said agencies’ executive management needed to engage with information security, instead of regarding it as a matter for their IT departments.
“As recent high-profile malware threats have shown us, no agency or system is immune from these evolving and ongoing threats,” he said.
“The risk to agency operations and information is real and needs to be taken seriously.”
Mr Murphy said while he was disappointed about the same issues coming up time and time again, the report was not all bad news.
“In the first part of this report, I identified some good practice and improvements across five key business applications,” he said.
“And in the second part I was pleased to identify three agencies that have consistently demonstrated good management controls.
“This report contains recommendations that address common weaknesses across agency IT systems and as such, I encourage all agencies, not just those audited, to take note and act on the findings of this report.”
In a statement earlier this week, the state government said its ministers would speak with their departments to discuss implementation of an updated digitial security policy.
The policy will require agencies to continuously improve their security practices.
